Cyber Essentials Malware Explained

Malware is software or web content that has been designed to cause harm. For example, the recent WannaCry attack used a form of malware which makes data or systems unusable until the victim makes a payment. Viruses are the most well-known form of malware. These programs infect legitimate software, make copies of themselves and spread those copies to any computers which connect to the infected machine.

How malware works

There are various ways in which malware can find its way onto a computer. A user may open an infected email, browse a compromised website or open an unknown file from removable storage media, such as a USB memory stick.

Three ways to defend against malware

Antivirus software is often included for free within popular operating systems, and it should be used on all computers and laptops. For your office equipment, you can pretty much click ‘enable’, and you’re instantly safer. Smartphones and tablets might require a different approach and, if configured in accordance with the NCSC’s guidance, separate antivirus software might not be necessary.

You should only download apps for mobile phones and tablets from manufacturer-approved stores (like Google Play or Apple App Store). These apps are checked to provide a certain level of protection from malware. You should prevent staff from downloading apps from unknown vendors/sources, as these will not have been checked.

For those unable to install antivirus or limit users to approved stores, there is another, more technical, solution. Apps and programs can be run in a ‘sandbox’. This prevents them from interacting with, and harming, other parts of your devices or network.

Malware protection

Objective

Restrict execution of known malware and untrusted software, to prevent harmful code from causing damage or accessing sensitive data.

Introduction

The execution of software downloaded from the Internet can expose a device to malware infection.

Malware, such as computer viruses, worms and spyware, is software that has been written and distributed deliberately to perform malicious actions. Potential sources of malware infection include malicious email attachments, downloads (including those from application stores), and direct installation of unauthorised software.

If a system is infected with malware, your organisation is likely to suffer from problems like malfunctioning systems, data loss, or onward infection that goes unseen until it causes harm elsewhere.

You can largely avoid the potential for harm from malware by:

detecting and disabling malware before it causes harm (anti-malware)

executing only software that you know to be worthy of trust (whitelisting)

Example

Acme Corporation implements code signing alongside a rule that allows only vetted applications from the device application store to execute on devices. Unsigned and unapproved applications will not run on devices.

Because users can only install trusted (whitelisted) applications, the risk of malware infection is reduced. The ransomware was able to encrypt far more data than would have been possible with standard user privileges, making the problem that much more serious.

Requirements under this technical control theme

The Applicant must implement a malware protection mechanism on all devices that are in scope. For each such device, the Applicant must use at least one of the three mechanisms listed below:

Anti-malware software

The software (and all associated malware signature files) must be kept up to date, with signature files updated at least daily. This may be achieved through automated updates, or with a centrally managed deployment.

The software must be configured to scan files automatically upon access. This includes when files are downloaded and opened, and when they are accessed from a network folder.

The software must scan web pages automatically when they are accessed through a web browser (whether by other software or by the browser itself).

The software must prevent connections to malicious websites on the Internet (by means of blacklisting, for example) — unless there is a clear, documented business need and the Applicant understands and accepts the associated risk.

Application whitelisting

Only approved applications, restricted by code signing, are allowed to execute on devices. The Applicant must:

actively approve such applications before deploying them to devices

maintain a current list of approved applications

Users must not be able to install any application that is unsigned or has an invalid signature.

Application sandboxing

All code of unknown origin must be run within a 'sandbox' that prevents access to other resources unless permission is explicitly granted by the user.
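As an added illustration, not part of the Cyber Essentials scheme or of this page, the following audit applies the three mechanisms above to a constructed device inventory: a device passes when at least one mechanism is fully satisfied, with the daily signature-freshness window and the documented-exception caveat for malicious-site blocking encoded as the requirements state them. The Device record and its field names are this example's own assumptions, not scheme terminology.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
MAX_SIGNATURE_AGE = timedelta(days=1)  # signature files must be updated at least daily

@dataclass
class Device:  # constructed inventory record; the field names are this example's own
    name: str
    av_installed: bool = False
    av_signatures_updated: Optional[datetime] = None  # UTC time of the last update
    av_on_access_scan: bool = False        # scans on download, open and network access
    av_web_scan: bool = False              # scans pages as the browser fetches them
    av_blocks_malicious_sites: bool = False
    av_site_block_exception_documented: bool = False  # documented, accepted risk
    whitelist_enforced: bool = False       # only code-signed, approved apps may run
    approved_list_current: bool = False    # a maintained list of approved apps exists
    blocks_unsigned_installs: bool = False # unsigned / invalid-signature installs refused
    sandboxes_unknown_code: bool = False   # code of unknown origin runs in a sandbox

def anti_malware_ok(d: Device, now: datetime) -> bool:
    if not d.av_installed or d.av_signatures_updated is None:
        return False
    fresh = (now - d.av_signatures_updated) <= MAX_SIGNATURE_AGE
    # Malicious-site blocking may be waived only with a documented business need.
    site_block = d.av_blocks_malicious_sites or d.av_site_block_exception_documented
    return fresh and d.av_on_access_scan and d.av_web_scan and site_block

def whitelisting_ok(d: Device) -> bool:
    return d.whitelist_enforced and d.approved_list_current and d.blocks_unsigned_installs

def satisfied_mechanisms(d: Device, now: datetime) -> list:
    """Names of the mechanisms this device fully satisfies; at least one is required."""
    checks = [("anti-malware", anti_malware_ok(d, now)),
              ("whitelisting", whitelisting_ok(d)),
              ("sandboxing", d.sandboxes_unknown_code)]
    return [name for name, ok in checks if ok]

def assess(devices, now: datetime) -> dict:
    return {d.name: satisfied_mechanisms(d, now) for d in devices}  # empty list = fail

if __name__ == "__main__":
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed clock
    fleet = [Device("laptop-01", av_installed=True, av_on_access_scan=True, av_web_scan=True,
                    av_blocks_malicious_sites=True, av_signatures_updated=now - timedelta(hours=2)),
             Device("laptop-02", av_installed=True, av_on_access_scan=True, av_web_scan=True,
                    av_blocks_malicious_sites=True, av_signatures_updated=now - timedelta(days=3)),
             Device("phone-01", whitelist_enforced=True, approved_list_current=True,
                    blocks_unsigned_installs=True)]
    for name, mechanisms in assess(fleet, now).items():
        print(f"{name}: {'PASS' if mechanisms else 'FAIL'} {mechanisms}")
```

In the constructed fleet, laptop-02 fails only because its signatures are three days old, which is the check most often missed when updates are assumed rather than verified.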
